Newsgroups: php.internals
Xref: news.php.net php.internals:106155
Date: Fri, 5 Jul 2019 12:51:16 +0200
From: php@beccati.com (Matteo Beccati)
To: Nikita Popov
Cc: PHP internals
Subject: Re: [PHP-DEV] [RFC] Escape PDO "?" parameter placeholder
Message-ID: <5E32DB49-D0E8-477D-AEE4-C4278095F9D5@beccati.com>

Hi Nikita,

> On 5 Jul 2019, at 12:37, Nikita Popov wrote:
>
>> On Tue, Jul 2, 2019 at 8:22 PM Matteo Beccati wrote:
>> Hi Nikita,
>>
>> On 02/07/2019 15:07, Nikita Popov wrote:
>> > Friendly reminder that this RFC needs to go into voting until Monday
>> > (preferably earlier) to make it into 7.4.
>>
>> Thanks! Without the reminder, I would probably have missed it.
>>
>> > Here's my feedback:
>> >
>> > * I would prefer to make escaping not driver-sensitive, as the current
>> > implementation is. Whether ?? is interpreted as a single ? or ?? should not
>> > depend on the driver.
>>
>> Most of the feedback I had was quite the opposite (fear of disruption in
>> the other drivers). In fact in the latest iteration, I went for a PDO API
>> setting, that lets the driver decide whether or not to enable the
>> feature, which means only pdo_pgsql would be affected:
>>
>> https://github.com/mbeccati/php-src/commit/b8a9703b805e0dffd618823656c8610777efdc3e
>
> This sounds nice now -- but what if another database adds an operator using ? in the future? We'd have to enable support for ? escaping at that point. This would leave us with a mess where ? escaping is available or not available depending on the specific combination of database driver + PHP version you are using. As the BC concern here seems to be purely theoretical (as far as I can see), it seems better to do this for all drivers at the same time.

Makes sense and it's a very good point.

>> > * I would prefer to use \? instead of ?? for escaping. The former is much
>> > more easily understood by a PHP developer and has less chance of clashing
>> > with operators (PHP itself has a ?? operator, it's not so absurd to think
>> > that it also exists elsewhere). The RFC argues against this because it
>> > makes writing a literal \? harder (which would be \\\\?), but I think that
>> > a) the need for a literal \? seems rather rare and b) double-escaping is
>> > already a well-understood problem for anyone who ever used regular
>> > expressions.
>>
>> Fair enough. Tbh, I have no strong preference... Would "\?" require also
>> implementing escape of the escape? Would that require some re2c magic?
>
> Yeah, we'd probably need to support escape of the escape for consistency, even if nobody needs it. Overall I'm okay either way here. I think \? will be more obvious for PHP programmers, but seeing the JDBC document you linked (https://jdbc.postgresql.org/documentation/head/statement.html) there is existing precedent for using ?? and it may be worthwhile to follow it.

Would it be possible or even recommended to add a second vote to decide which one to use?

Cheers
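The two escape schemes the thread weighs ("??" as proposed by the RFC, "\?" as suggested by Nikita) and the "escape of the escape" question, worked through as an added example. This is not code from the RFC, from the linked commit or from PDO's own re2c-based statement parser; it is a stand-alone PHP scanner that applies one scheme to a SQL string and shows how many placeholders a driver would end up binding. The rewrite of placeholders to PostgreSQL-style "$1", "$2" and the ANSI doubled-quote handling inside literals are assumptions made for illustration, and the function name rewritePlaceholders is hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not php-src code: applies one of the two escape schemes
// debated in the thread to a SQL string, the way an emulated-prepare scanner
// would, and returns [rewritten SQL, number of placeholders found].
//   '??'  -> "??" yields a literal "?", a lone "?" is a positional placeholder
//   '\\?' -> "\?" yields a literal "?", "\\" yields a literal "\" (escape of the escape)
// Quoted regions ('...' and "...") are copied through untouched: a "?" inside
// them was never a placeholder. Only the ANSI doubled-quote convention
// ('it''s') is honoured; backslash escapes inside string literals (a MySQL
// extension) are deliberately not handled. Placeholders are rewritten to
// numbered $1, $2, ... (PostgreSQL style) purely to make the binding visible;
// that is an assumption for illustration, not what pdo_pgsql emits.
function rewritePlaceholders(string $sql, string $scheme = '??'): array
{
    if ($scheme !== '??' && $scheme !== '\\?') {
        throw new InvalidArgumentException("unknown escape scheme: $scheme");
    }

    $out = '';
    $params = 0;
    $len = strlen($sql);
    $i = 0;

    while ($i < $len) {
        $c = $sql[$i];

        // String literal or quoted identifier: copy verbatim up to the closing quote.
        if ($c === "'" || $c === '"') {
            $j = $i + 1;
            while ($j < $len) {
                if ($sql[$j] === $c) {
                    if ($j + 1 < $len && $sql[$j + 1] === $c) { // doubled quote, still inside
                        $j += 2;
                        continue;
                    }
                    break; // closing quote
                }
                $j++;
            }
            $end = min($j + 1, $len); // unterminated literal runs to end of input
            $out .= substr($sql, $i, $end - $i);
            $i = $end;
            continue;
        }

        // "??" scheme: a doubled question mark is a literal "?" (e.g. the jsonb ? operator).
        if ($scheme === '??' && $c === '?' && $i + 1 < $len && $sql[$i + 1] === '?') {
            $out .= '?';
            $i += 2;
            continue;
        }

        // "\?" scheme: "\?" -> "?" and "\\" -> "\", so a literal backslash stays expressible.
        if ($scheme === '\\?' && $c === '\\' && $i + 1 < $len
            && ($sql[$i + 1] === '?' || $sql[$i + 1] === '\\')) {
            $out .= $sql[$i + 1];
            $i += 2;
            continue;
        }

        if ($c === '?') {           // unescaped: positional placeholder
            $params++;
            $out .= '$' . $params;
            $i++;
            continue;
        }

        $out .= $c;
        $i++;
    }

    return [$out, $params];
}

// Constructed inputs. First, the problem the RFC addresses: the PostgreSQL
// jsonb "?" (key exists) operator is swallowed as a second placeholder.
[$sql, $n] = rewritePlaceholders("SELECT 1 FROM docs WHERE attrs ? ?");
assert($sql === 'SELECT 1 FROM docs WHERE attrs $1 $2' && $n === 2);

// With the "??" scheme the operator survives, one value is bound, and the
// "?" inside the string literal is left alone.
[$sql, $n] = rewritePlaceholders("SELECT * FROM docs WHERE attrs ?? ? AND title = 'why?'", '??');
assert($sql === "SELECT * FROM docs WHERE attrs ? $1 AND title = 'why?'" && $n === 1);

// With the "\?" scheme a literal "\?" needs its backslash escaped as well, i.e.
// "\\\?" in the SQL text, which in a single-quoted PHP string is written '\\\\\?'.
// The SELECT list here is contrived and only exercises the scanner.
[$sql, $n] = rewritePlaceholders('SELECT \\\\\? AS lit, attrs \? ? FROM docs', '\\?');
assert($sql === 'SELECT \\? AS lit, attrs ? $1 FROM docs' && $n === 1);

echo $sql, PHP_EOL;
```

Note that nothing in the scanner looks at which driver is in use: the decision Nikita argues for (the same escape meaning everywhere) falls out naturally once the escape is handled in the shared parsing step rather than behind a per-driver switch. The third call also makes the double-escaping cost concrete: the three backslashes a reader sees in the SQL become five in PHP source, which is the trade-off the RFC weighs against the readability of "\?".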